CN104205080B - Offloading packet processing for networking device virtualization - Google Patents
- Publication number: CN104205080B (application CN201380015731.7A)
- Authority: CN (China)
- Prior art keywords: network packet, virtual machine, virtual, rule, action
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L47/00—Traffic control in data switching networks
        - H04L47/10—Flow control; Congestion control
          - H04L47/20—Traffic policing
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/34—Signalling channels for network management communication
          - H04L41/342—Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/02—Capturing of monitoring data
          - H04L43/026—Capturing of monitoring data using flow identification
        - H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
      - H04L49/00—Packet switching elements
        - H04L49/70—Virtual switches
Abstract
The present invention relates to methods, systems, and computer program products for offloading packet processing for networking device virtualization. A host partition maintains one or more rule sets for a virtual machine, and a physical network interface card (NIC) maintains one or more flow tables for the virtual machine. The physical NIC receives and processes network packets associated with the virtual machine. Processing a network packet includes the physical NIC comparing the network packet against the flow tables at the physical NIC. When the network packet matches a flow in a flow table at the physical NIC, the physical NIC performs an action on the network packet based on the matching flow. Alternatively, when the network packet does not match any flow in the flow tables at the physical NIC, the physical NIC passes the network packet to the host partition for processing against the rule sets.
Description
Background
1. Background and Related Art
Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way people live and work. Computer systems now commonly perform a host of tasks (e.g., word processing, scheduling, accounting, etc.) that were performed manually before the advent of the computer system. More recently, computer systems have been coupled to one another and to other electronic devices to form both wired and wireless computer networks over which the computer systems and other electronic devices can transfer electronic data. Accordingly, the performance of many computing tasks is distributed across a number of different computer systems and/or a number of different computing environments.
Some computer systems are configured to provide a virtualized environment for hosting one or more virtual machines. For example, a parallel virtual execution environment includes a hypervisor. The hypervisor provides a parent partition and one or more child partitions (i.e., virtual machines). The parent partition is configured to run a host operating system and to manage the virtualization stack. Each child partition is configured to run a corresponding guest operating system. The hypervisor also provides software interfaces that enable the child partitions to access physical devices through virtual devices (drivers) running in the guest operating systems.
A common scenario in virtualization is managing network packets between the virtual machines executing at a virtualized host computer system, and between those virtual machines and computer systems remote from the host computer system. As such, virtualization at the host operating system may include a networking virtualization stack, or virtual switch. The virtual switch is configured to intercept, inspect, and manipulate the network packets communicated in connections between the virtual machines. Doing so can be inefficient, however, because it causes frequent and expensive (e.g., in terms of CPU usage) context switching between the host operating system and the guest operating systems.
A recent development in virtualization has been Single-Root I/O Virtualization (SRIOV). SRIOV is an extension to the Peripheral Component Interconnect Express (PCIe) bus architecture that enables PCIe devices to communicate directly with the parent partition and the child partitions. As such, SRIOV enables a PCIe device to expose itself directly to virtual machines (through the hypervisor). For example, an SRIOV-compliant physical network interface card (NIC) can present a physical function to the parent partition and one or more virtual functions to corresponding child partitions. The host operating system may then include a physical function driver that communicates with the physical function, and each guest operating system may execute a virtual function driver that communicates with the corresponding virtual function. The physical NIC can then transfer network packets directly with the guest operating systems (bypassing the host operating system), which can substantially improve network performance.
While SRIOV brings advantages, inefficiencies remain in the field of network packet processing in virtualized environments.
Brief Summary
The present invention relates to methods, systems, and computer program products for offloading packet processing for networking device virtualization. For example, embodiments of the invention provide a general network rule classification and flow model that enables a portion of the network packet processing at a virtual machine host to be offloaded from the host to a physical NIC. In particular, embodiments of the invention enable all or part of one or more flow tables at the parent partition (i.e., the host operating system) to be offloaded to the physical NIC. Doing so enables the physical NIC to perform packet processing according to defined rules, while improving the performance of network packet processing in the virtual machine environment.
In some embodiments, a method for processing network packets for a virtual machine executing at a computer system includes a host partition maintaining one or more rule sets for the virtual machine. The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine and processes the network packet for the virtual machine. Processing the network packet includes the physical NIC comparing the network packet against the one or more flow tables. When the network packet matches a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow. Alternatively, when the network packet does not match a flow in the one or more flow tables, the physical NIC passes the network packet to the host partition for processing against the one or more rule sets.
In other embodiments, a method for processing network packets for a virtual machine executing at a computer system includes a virtual switch maintaining one or more rule sets for the virtual machine and also maintaining one or more flow tables for the virtual machine. The virtual switch offloads at least a portion of the one or more flow tables to a physical NIC. The virtual switch processes a network packet for the virtual machine. Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and matching the network packet against a rule in the one or more rule sets. Based on matching the network packet against the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features, advantages, and characteristics of the present invention will become more fully apparent from the following description and the appended claims, or may be learned by the practice of the invention as set forth hereinafter.
Brief Description of the Drawings
In order to describe the manner in which the above-recited and other advantages and features of the invention can be obtained, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings, in which:
Fig. 1 illustrates an example computer architecture that facilitates offloading packet processing to a physical NIC for networking device virtualization.
Fig. 2 illustrates a flow chart of an example method for processing network packets for a virtual machine executing at a computer system.
Fig. 3 illustrates a flow chart of an alternative example method for processing network packets for a virtual machine executing at a computer system.
Fig. 4 illustrates an alternative computer architecture that facilitates offloading packet processing to a physical NIC for networking device virtualization.
Fig. 5 illustrates an example computer architecture that includes the layers of an example multi-layer virtual switch.
Detailed Description
The present invention relates to methods, systems, and computer program products for offloading packet processing for networking device virtualization. For example, embodiments of the invention provide a general network rule classification and flow model that enables a portion of the network packet processing at a virtual machine host to be offloaded from the host to a physical NIC. In particular, embodiments of the invention enable all or part of one or more flow tables at the parent partition (i.e., the host operating system) to be offloaded to the physical NIC. Doing so enables the physical NIC to perform packet processing according to defined rules, while improving the performance of network packet processing in the virtual machine environment.
In some embodiments, a method for processing network packets for a virtual machine executing at a computer system includes a host partition maintaining one or more rule sets for the virtual machine. The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine and processes the network packet for the virtual machine. Processing the network packet includes the physical NIC comparing the network packet against the one or more flow tables. When the network packet matches a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow. Alternatively, when the network packet does not match a flow in the one or more flow tables, the physical NIC passes the network packet to the host partition for processing against the one or more rule sets.
In other embodiments, a method for processing network packets for a virtual machine executing at a computer system includes a virtual switch maintaining one or more rule sets for the virtual machine and also maintaining one or more flow tables for the virtual machine. The virtual switch offloads at least a portion of the one or more flow tables to a physical NIC. The virtual switch processes network packets for the virtual machine. Processing a network packet includes the virtual switch receiving the network packet from the virtual machine or from the physical NIC, and matching the network packet against a rule in the one or more rule sets. Based on matching the network packet against the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.
Embodiments of the present invention may comprise or utilize a special-purpose or general-purpose computer including computer hardware, such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general-purpose or special-purpose computer system. Computer-readable media that store computer-executable instructions are computer storage media (devices). Computer-readable media that carry computer-executable instructions are transmission media. Thus, by way of example and not limitation, embodiments of the invention can comprise at least two distinctly different kinds of computer-readable media: computer storage media (devices) and transmission media.
Computer storage media (devices) include RAM, ROM, EEPROM, CD-ROM, solid-state drives (SSDs) (e.g., RAM-based), flash memory, phase-change memory (PCM), other types of memory, other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computer.
A "network" is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired and wireless) to a computer, the computer properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computer. Combinations of the above should also be included within the scope of computer-readable media.
Further, upon reaching various computer system components, program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission media to computer storage media (devices) (or vice versa). For example, computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a "NIC") and then eventually transferred to computer system RAM and/or to less volatile computer storage media (devices) at the computer system. Thus, it should be understood that computer storage media (devices) can be included in computer system components that also (or even primarily) utilize transmission media.
Computer-executable instructions comprise, for example, instructions and data which, when executed at a processor, cause a general-purpose computer, special-purpose computer, or special-purpose processing device to perform a certain function or group of functions. The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the features or acts described above. Rather, the described features and acts are disclosed as example forms of implementing the claims.
Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, tablets, pagers, routers, switches, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked through a network (either by hardwired data links, wireless data links, or a combination of both), both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices. In some embodiments, the invention may be implemented in connection with a physical NIC that complies with SRIOV; however, the scope of the invention extends beyond SRIOV.
Embodiments of the invention operate in connection with a host (e.g., a root partition) that executes one or more virtual machines. The host includes a virtual switch that performs packet processing (e.g., inspection and possibly manipulation) on the network packets sent and/or received by the virtual machines. For example, embodiments of the invention can process Internet Protocol (IP) packets, RDMA over Converged Ethernet (RoCE) packets, Fibre Channel over Ethernet (FCoE) packets, and so on. Furthermore, embodiments of the invention provide a general rule and flow model that allows at least a portion of the packet processing to be offloaded from the host to a physical NIC, such as an Ethernet NIC, a WiMAX NIC, or another type of physical fabric. Embodiments of the invention therefore allow packet processing to be performed in a general manner, eliminating the need to develop different virtual switch modules for different types of packet processing.
In particular, embodiments include offloading one or more flow tables (or portions thereof) to a physical NIC (such as an SRIOV-compliant physical NIC). Doing so enables a virtual bridge at the physical NIC to perform packet processing, similar to the virtual switch at the host. For example, if a packet is received at the physical NIC, the virtual bridge can match the packet against the offloaded flows. The virtual bridge at the physical NIC can then take the appropriate action for the flow without involving the host. Doing so eliminates the inefficiencies associated with performing all rule/flow packet processing at the host.
Referring now to Figure 1, Fig. 1 illustrates an example computer architecture 100 that facilitates offloading packet processing to a physical NIC for networking device virtualization. As depicted, computer architecture 100 includes host 102, virtual machine 108, and physical NIC 110.
Host 102 provides a virtualized environment. For example, host 102 may include a parent partition (which executes a host operating system) and one or more child partitions. Each child partition can be viewed as providing a virtualized hardware environment for executing a corresponding virtual machine (such as virtual machine 108). In some embodiments, host 102 serves as part of a cloud computing environment that provides virtual machines to tenants.
Each virtual machine (including virtual machine 108) executes one or more virtualized applications, such as an operating system, application software, etc. As depicted, virtual machine 108 includes a network stack 108a (e.g., a TCP/IP stack), a virtual NIC driver 108b, and a virtual function driver 108c. Using network stack 108a, virtual NIC driver 108b, and virtual function driver 108c, virtual machine 108 can send and/or receive network packets and other information through host 102 over virtual bus 106 and/or through physical NIC 110 over data path 114.
Physical NIC 110 includes physical hardware that is virtualized and that connects to other computer systems and/or networks using one or more external interfaces (e.g., the depicted physical interface 126). Although only one physical NIC is depicted, computer architecture 100 may include any number of physical NICs. Physical NIC 110 includes virtual bridge 112. Virtual bridge 112 bridges the virtual functions and the physical function at physical NIC 110 and performs packet inspection and manipulation. Virtual bridge 112 works together with virtual switch 104 at host 102 to regulate network communication, as described in greater detail below. As such, physical NIC 110 can present one or more virtual functions to one or more virtual machines hosted at host 102. In addition, physical NIC 110 can present one or more physical functions to host 102.
For example, Fig. 1 depicts physical NIC 110 presenting physical function 122 to host 102. Fig. 1 also depicts host 102 including a corresponding physical function driver 124, and data path 118 connecting physical function 122 at physical NIC 110 with physical function driver 124 at host 102. As such, physical function 122 and physical function driver 124 are operable to exchange network packets between physical NIC 110 and host 102. For example, physical function driver 124 can communicate with virtual switch 104 at host 102, and physical function 122 can communicate with virtual bridge 112 at physical NIC 110.
Fig. 1 also depicts physical NIC 110 presenting virtual function 120 to virtual machine 108, which corresponds to virtual function driver 108c. Data path 114 connects virtual function 120 at physical NIC 110 with virtual function driver 108c at virtual machine 108. Physical NIC 110 can present more than one virtual function to virtual machine 108, and/or can present additional virtual functions to additional virtual machines. In general, each virtual machine can directly access the virtual functions assigned to it. For example, a virtual machine can use its virtual function driver to transfer network packets with its assigned virtual function at physical NIC 110 without intervention from host 102. Doing so can reduce processor usage and network latency. For example, virtual machine 108 and physical NIC 110 can communicate directly over data path 114 using virtual function 120 and virtual function driver 108c.
As indicated previously, in some embodiments physical NIC 110 may include SRIOV-compliant PCIe hardware. In such embodiments, one or more of virtual function 120 or physical function 122 may comprise PCIe functions. It will be appreciated, however, that the principles described herein can be applied to a variety of hardware devices and are not limited to SRIOV-compliant devices or PCIe devices.
In some embodiments, one or more virtual machines hosted at host 102 can be associated with rules (inbound and/or outbound) and possibly with flows (inbound and/or outbound) according to a general rule/flow model. As depicted, host 102 includes virtual switch 104. Virtual switch 104 is configured to inspect and manipulate the network packets sent and received by any hosted virtual machine according to the general rule/flow model. For example, based on the defined rules and flows, virtual switch 104 can allow packets, block packets, reroute packets, perform NAT, or perform any other packet inspection/manipulation appropriate for the networking technologies and devices in use.
As used herein, a rule defines a packet flow policy (or a portion thereof) based on one or more rule conditions and one or more rule actions. In some embodiments, rules are specific to a particular virtual machine. Rules may be defined by an administrator, or they may be defined by a higher-level system. In some embodiments, rules are static or relatively static. In some embodiments, rules are stored in rule sets and are arranged for linear matching.
Rule conditions may be defined using tuples, which consist of fields and the values to match. A tuple may include any combination of fields appropriate for the network protocols and hardware devices in use. A tuple may include, for example, a source and/or destination network address (e.g., an IP address when using IP), a source and/or destination port, a protocol (e.g., Transmission Control Protocol (TCP), User Datagram Protocol (UDP)), a source and/or destination hardware address (e.g., an Ethernet MAC address), or combinations thereof. For example, an exemplary rule condition may be defined in terms of a five-tuple, such as '192.168.0.*, *, *, *, TCP', which would match any network packet on the 192.168.0.* network having any source IP address, any source port, any destination IP address, any destination port, and using the TCP protocol. In some embodiments, tuples may relate not only to flows but also to packet conditions. For example, a tuple may include a field related to IP Type of Service (ToS). Those skilled in the art will recognize that other tuples are also possible, including tuples relevant to networking technologies that have not yet been developed.
Rule actions may include any appropriate packet routing and/or manipulation operations. For example, some exemplary rule actions may include deny, allow, network address translation (NAT), map, meter, decapsulate, encapsulate, and so on. Those skilled in the art will recognize that a variety of other rule actions are also possible, including actions relevant to networking technologies that have not yet been developed.
Rules can be used to define a rich set of packet processing policies. For example, using rule conditions (tuples) and rule actions, a rule may specify that UDP packets from a particular IP address are allowed. In another example, a rule may specify that TCP packets sent to any destination with a specified port are subject to NAT. Combining the five-tuple example above with an "allow" action, an exemplary rule may be defined as 'allow 192.168.0.*, *, *, *, TCP', meaning that any network packet on the 192.168.0.* network having any source IP address, any source port, any destination IP address, any destination port, and using the TCP protocol should be allowed.
As used herein, a flow is dynamic state that is created based on rules. For example, when a network packet matches a rule, a flow can be created based on that rule. As such, similar to a rule, a flow can also be defined in terms of conditions (tuples) and actions. Flows store context about network connections and can be used to determine how to process the current packet in a flow or context based on previous packets in that flow or context. Flows can be subject to timeouts. In some embodiments, flows are stored in one or more flow tables, such as an inbound flow table and/or an outbound flow table. For example, when a network packet matches the exemplary '192.168.0.*, *, *, *, TCP' rule, a corresponding flow can be created in one or more appropriate flow tables. In some embodiments, flows are indexed based on the flow's tuple (e.g., using one or more hashes).
Along these lines, Fig. 1 depicts virtual switch 104 including state 106 for virtual machine 108, which may include various types of state, such as the depicted outbound rule set 106a, inbound rule set 106b, outbound flow table 106c, and inbound flow table 106d. Outbound rule set 106a defines one or more rules that apply to packets being sent by virtual machine 108, and inbound rule set 106b defines one or more rules that apply to packets being received on behalf of virtual machine 108. When a packet matches a rule in the corresponding rule set, a flow can be created in outbound flow table 106c and/or inbound flow table 106d. It will be appreciated that, in some cases, state 106 may include only a subset of the depicted state.
As an example, when virtual switch 104 receives (e.g., from physical NIC 110 or from a hosted virtual machine) a network packet associated with virtual machine 108 that does not match a flow in the appropriate flow table (106c, 106d), virtual switch 104 can examine the appropriate rule set (i.e., inbound rule set 106b for packets being received on behalf of virtual machine 108, or outbound rule set 106a for packets being sent by virtual machine 108) to find a matching rule. If virtual switch 104 finds a matching rule, virtual switch 104 can take the action defined by that rule on the packet (e.g., allow/block/NAT, etc.).
If virtual switch 104 finds a matching rule, virtual switch 104 can also create a flow (or a pair of flows) in outbound flow table 106c and/or inbound flow table 106d for use in processing subsequent packets in the flow/context. For example, when a packet matches a rule in outbound rule set 106a, virtual switch 104 can create a flow in outbound flow table 106c and/or inbound flow table 106d (as depicted by the arrows connecting outbound rule set 106a with flow tables 106c, 106d). Or, when a packet matches a rule in inbound rule set 106b, virtual switch 104 can create a flow in outbound flow table 106c and/or inbound flow table 106d (as depicted by the arrows between inbound rule set 106b and flow tables 106c, 106d). It will be appreciated that, by creating flows in the flow table of the opposite direction, the virtual switch can implement a stateful firewall.
Virtual switch 104 can also offload flow state to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as shown by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, virtual switch 104 can send one or more requests over data path 118 asking physical NIC 110 to create flows in flow caches 112a, 112b. In some cases, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing independently of virtual switch 104, thereby reducing processor usage at host 102. For example, after a flow has been offloaded to physical NIC 110, physical NIC 110 can receive subsequent packets of the same flow (for example, from virtual machine 108 over data path 114, or from another computer system over external interface 126). In that case, virtual bridge 112 can match the subsequent packet against the flow state in the appropriate flow cache 112a, 112b and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.
Using the foregoing arrangement, virtual machine 108 can use virtual function driver 108c to send an outgoing network packet over data path 114 to virtual function 120 of physical NIC 110. After receiving the network packet, virtual bridge 112 searches outgoing flow cache 112a for a matching flow. If virtual bridge 112 finds a matching flow in outgoing flow cache 112a, virtual bridge 112 takes the action defined in that flow. For example, virtual bridge 112 can perform packet manipulation operations and/or forward the network packet to a destination virtual machine or, over external interface 126, to another computer system.
Otherwise, if virtual bridge 112 does not find a matching flow in outgoing flow cache 112a, one of two alternative actions can occur. In a first embodiment, virtual bridge 112 rejects the network packet back to virtual machine 108 (for example, over data path 114). Virtual machine 108 then forwards the network packet to virtual switch 104 over virtual bus 116. In a second embodiment, virtual bridge 112 sends the network packet over data path 118, using physical function 122, to physical function driver 124. Physical function driver 124 then routes the network packet to virtual switch 104. In either embodiment, after virtual switch 104 receives the network packet, virtual switch 104 attempts to match the network packet against the flows in outgoing flow table 106c. If the network packet does not match a flow in outgoing flow table 106c, virtual switch 104 attempts to match the network packet against the rules in outgoing rule set 106a. If a matching rule is found in outgoing rule set 106a, virtual switch 104 takes the appropriate action defined by the matching rule (such as allow, block, NAT, etc.), can create one or more flows in one or both of flow tables 106c/106d, and can possibly create one or more flows in one or both of flow caches 112a/112b.
Likewise using the foregoing arrangement, physical NIC 110 can receive an incoming network packet on behalf of virtual machine 108 (for example, from another virtual machine through its respective virtual function, or from another computer system over external interface 126). After receiving the network packet, virtual bridge 112 searches incoming flow cache 112b for a matching flow. If virtual bridge 112 finds a matching flow in incoming flow cache 112b, virtual bridge 112 takes the appropriate action defined in that flow (such as allow, block, NAT, etc.). For example, virtual bridge 112 can use virtual function 120 and data path 114 to forward the packet to virtual function driver 108c at virtual machine 108. If virtual bridge 112 does not find a matching flow in incoming flow cache 112b, virtual bridge 112 forwards the packet to virtual switch 104 at host 102, either through physical function 122 and data path 118 or through virtual function 120 and data path 114. Virtual switch 104 then processes the packet as described above in the context of outgoing network packets.
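The packet path described in the preceding paragraphs, as an added illustration written for this page (it is not code from the patent): a host-side virtual switch with per-direction rule sets and flow tables, a NIC-side virtual bridge holding only offloaded flows, a rule match that creates the flow, its reverse flow (the stateful-firewall point) and the NIC cache entries, and a miss path that returns the packet to the host. The packet fields, the sample policy and the default-deny behaviour when no rule matches are this example's assumptions.

```python
"""Virtual switch 104 (rule sets 106a/106b, flow tables 106c/106d) and NIC
virtual bridge 112 (flow caches 112a/112b) as a small simulation.
Illustration written for this page; not the patent's implementation."""
from dataclasses import dataclass, field

# A packet is its 5-tuple plus a direction: "out" = sent by the VM,
# "in" = received on the VM's behalf. Field names are this example's choice.
FIELDS = ("proto", "src", "sport", "dst", "dport")

def flow_key(pkt):
    return (pkt["dir"],) + tuple(pkt[f] for f in FIELDS)

def reverse_key(key):
    """Key of the return traffic: opposite direction, endpoints swapped."""
    d, proto, src, sport, dst, dport = key
    return ("in" if d == "out" else "out", proto, dst, dport, src, sport)

@dataclass
class Rule:
    match: dict      # field -> required value; an absent field is a wildcard
    action: str      # "allow" or "block" in this example

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class NicBridge:
    """Virtual bridge 112: holds offloaded flows only, never the rules."""
    cache: dict = field(default_factory=dict)   # flow key -> action (112a/112b merged)

    def handle(self, pkt):
        key = flow_key(pkt)
        if key in self.cache:
            return "nic", self.cache[key]       # hit: acted on without the host
        return "miss", None                      # miss: hand to virtual switch 104

@dataclass
class VirtualSwitch:
    """Virtual switch 104: rule sets plus the authoritative flow tables."""
    rules: dict                                  # "out" -> [Rule], "in" -> [Rule]
    flows: dict = field(default_factory=dict)    # flow key -> action (106c/106d merged)
    nic: NicBridge = field(default_factory=NicBridge)

    def handle(self, pkt):
        key = flow_key(pkt)
        if key in self.flows:                    # flow already exists on the host
            return "host-flow", self.flows[key]
        for rule in self.rules[pkt["dir"]]:      # otherwise consult the rule set
            if rule.matches(pkt):
                self.flows[key] = rule.action
                self.nic.cache[key] = rule.action        # offload the new flow
                if rule.action != "block":
                    # Stateful firewall: a flow in the opposite direction admits
                    # replies to this authorized connection, and nothing else.
                    self.flows[reverse_key(key)] = "allow"
                    self.nic.cache[reverse_key(key)] = "allow"
                return "host-rule", rule.action
        return "host-rule", "block"   # no rule matched: default deny (assumption)

def process(vswitch, pkt):
    """Full path of one packet: NIC flow cache first, host on a miss."""
    where, action = vswitch.nic.handle(pkt)
    if where == "miss":
        where, action = vswitch.handle(pkt)
    return where, action

# Constructed sample policy: the VM may open HTTPS connections outbound and
# accept SSH inbound; everything else is blocked.
POLICY = {
    "out": [Rule({"proto": "tcp", "dport": 443}, "allow"), Rule({}, "block")],
    "in":  [Rule({"proto": "tcp", "dport": 22}, "allow"), Rule({}, "block")],
}

if __name__ == "__main__":
    vs = VirtualSwitch(rules=POLICY)
    req = {"dir": "out", "proto": "tcp", "src": "10.0.0.5", "sport": 40000,
           "dst": "198.51.100.9", "dport": 443}
    print(process(vs, req))   # first packet of the flow: handled by a host rule
    print(process(vs, req))   # same flow again: answered from the NIC cache
```

The first packet of a connection always pays the host round trip; every later packet of that flow, and the replies to it, are matched on the NIC. Note that a blocked flow is offloaded too, so repeated unsolicited packets are dropped on the NIC rather than consuming host CPU.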
It will be appreciated that outgoing flow cache 112a and incoming flow cache 112b may represent only a part or subset of the complete flow tables (that is, outgoing flow table 106c and incoming flow table 106d). For example, physical NIC 110 may have limited memory because of cost or other design constraints. Storing only part of flow tables 106c/106d in flow caches 112a/112b therefore reduces the amount of memory needed to offload the flow tables to physical NIC 110. Because outgoing flow cache 112a and incoming flow cache 112b may not contain the complete flow state, cache misses can occur when virtual bridge 112 processes packets. When a cache miss occurs, virtual bridge 112 forwards the packet to virtual switch 104 for additional processing. It will be appreciated that various cache replacement/flushing policies can be used. For example, flow state can be placed on physical NIC 110 after a cache miss occurs, entries can expire from physical NIC 110 after a predetermined period of inactivity, etc.
In addition, in some embodiments only certain types of flows are stored at physical NIC 110. For example, virtual bridge 112 may support only a limited set of operations/actions. Accordingly, only flows associated with operations/actions that virtual bridge 112 supports may be stored at physical NIC 110. In those embodiments, any other operations/actions are handled at virtual switch 104.
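The cache policies just listed, as an added illustration written for this page (not the patent's code): a NIC flow cache of fixed capacity that evicts the least recently used entry when full, expires entries after a period of inactivity, and refuses to cache a flow whose action the NIC cannot execute, so that such flows remain host-only. The capacity, timeout, the explicit clock argument and the set of NIC-supported actions are this example's assumptions.

```python
"""Bounded NIC flow cache with LRU eviction, idle expiry and an
action-support filter. Illustration written for this page; not the
patent's implementation."""
from collections import OrderedDict

# Actions this hypothetical virtual bridge can perform on its own; anything
# else (for example "nat:...") stays on the host and is handled by the
# virtual switch. Assumed set for this example.
SUPPORTED_ACTIONS = {"allow", "block"}

class NicFlowCache:
    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()     # flow key -> [action, last_used]; LRU first
        self.misses = 0

    def expire(self, now):
        """Drop entries idle for longer than idle_timeout; returns the count."""
        stale = [k for k, (_, t) in self.entries.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def offload(self, key, action, now):
        """Host asks the NIC to cache a flow. False means the flow is not
        offloadable and must stay in the host's flow table only."""
        if action.partition(":")[0] not in SUPPORTED_ACTIONS:
            return False
        self.expire(now)
        if key not in self.entries and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)           # evict least recently used
        self.entries[key] = [action, now]
        self.entries.move_to_end(key)
        return True

    def lookup(self, key, now):
        """NIC-side match. None means a cache miss: the packet has to go
        back to the virtual switch for processing against the rule sets."""
        self.expire(now)
        entry = self.entries.get(key)
        if entry is None:
            self.misses += 1
            return None
        entry[1] = now                                 # refresh the idle timer
        self.entries.move_to_end(key)                  # mark most recently used
        return entry[0]

if __name__ == "__main__":
    cache = NicFlowCache(capacity=2, idle_timeout=10)
    print(cache.offload("flow-a", "allow", now=0))      # cached
    print(cache.offload("flow-b", "nat:203.0.113.7", now=0))  # refused, host-only
    print(cache.lookup("flow-a", now=5), cache.lookup("flow-a", now=16))  # hit, then expired
```

A miss is not an error: the host still holds the complete flow table and simply re-offloads the entry, which is the "place on the NIC after a miss" policy the text mentions.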
Fig. 2 illustrates a flow chart of an example method 200 for processing network packets for a virtual machine executing at a computer system. Method 200 is described with reference to the components and data of computer architecture 100.
Method 200 includes an act of a virtual switch in a host partition maintaining one or more rule sets for a virtual machine (act 202). For example, virtual switch 104 at host 102 can maintain state 106 for virtual machine 108. State 106 can include one or both of outgoing rule set 106a for virtual machine 108 and incoming rule set 106b for virtual machine 108. State 106 can also include one or more flow tables for virtual machine 108, such as outgoing flow table 106c and incoming flow table 106d. Although not shown, virtual switch 104 can store state (for example, rule sets, flow tables, etc.) for additional virtual machines.
Method 200 also includes an act of the physical NIC maintaining one or more flow tables for the virtual machine (act 204). For example, physical NIC 110 can store outgoing flow cache 112a and/or incoming flow cache 112b for virtual machine 108. A flow cache can store all or only part of any flow table at host 102. Although not shown, physical NIC 110 can store flow tables for additional virtual machines.
Method 200 also includes an act of the physical NIC receiving a network packet associated with the virtual machine (act 206). For example, physical NIC 110 can receive a network packet from another computer system over external interface 126, can receive a network packet from virtual machine 108 through virtual function 120, or can receive a network packet from another virtual machine at host 102 through another virtual function associated with that virtual machine.
Method 200 also includes an act of processing the network packet for the virtual machine (act 208). For example, virtual bridge 112 can process a network packet received from virtual machine 108 or a network packet received on behalf of virtual machine 108 (that is, a network packet addressed to virtual machine 108).
Act 208 includes an act of the physical NIC comparing the network packet with the one or more flow tables (act 210). For example, if the packet is being sent by virtual machine 108, virtual bridge 112 can compare the network packet with outgoing flow cache 112a; if the packet is being received on behalf of virtual machine 108, virtual bridge 112 can compare the network packet with incoming flow cache 112b.
Act 208 also includes, when the network packet matches a flow in the one or more flow tables, an act of the physical NIC performing an action on the network packet based on the matching flow (act 212). For example, if the network packet matches a flow in outgoing flow cache 112a or incoming flow cache 112b, virtual bridge 112 can perform the action specified in that flow (such as allow, deny, NAT, etc.).
Act 208 also includes, when the network packet does not match a flow in the one or more flow tables, an act of the physical NIC transferring the network packet to the host for processing against the one or more rule sets (act 214). For example, if the network packet does not match a flow in outgoing flow cache 112a or incoming flow cache 112b, virtual bridge 112 can transfer the packet to virtual switch 104 at host 102 for additional processing. In some embodiments, virtual bridge 112 sends the network packet directly to host 102 using physical function 122 and data path 118. In other embodiments, virtual bridge 112 sends the network packet to host 102 indirectly using virtual function 120 and data path 114 (that is, through virtual machine 108 and over virtual bus 116).
When the packet is received, host 102 can transfer it to virtual switch 104. Virtual switch 104 can then compare the network packet with state 106 (that is, flow tables and rule sets) and take the appropriate action. For example, if the network packet matches a flow at host 102, virtual switch 104 can take the appropriate action (such as allow, deny, NAT, etc.) and may update the flow caches at physical NIC 110. If the network packet does not match a flow at host 102 (or if no appropriate flow exists), virtual switch 104 can compare the network packet with the appropriate rule set, take the appropriate action specified in any matching rule, and possibly create one or more new flows (for example, in state 106 and at physical NIC 110).
Fig. 3 illustrates a flow chart of an additional example method 300 for processing network packets for a virtual machine executing at a computer system. Method 300 is described with reference to the components and data of computer architecture 100.
Method 300 includes an act of a virtual switch in a host partition maintaining one or more rule sets for a virtual machine (act 302). For example, virtual switch 104 at host 102 can maintain state 106 for virtual machine 108. State 106 can include one or both of outgoing rule set 106a for virtual machine 108 and incoming rule set 106b for virtual machine 108.
Method 300 also includes an act of the virtual switch maintaining one or more flow tables for the virtual machine (act 304). For example, state 106 can include one or both of outgoing flow table 106c for virtual machine 108 and incoming flow table 106d for virtual machine 108.
Method 300 also includes an act of the virtual switch offloading at least a portion of the one or more flow tables to the physical NIC (act 306). For example, virtual switch 104 can offload one or more flows from outgoing flow table 106c to outgoing flow cache 112a. Additionally or alternatively, virtual switch 104 can offload one or more flows from incoming flow table 106d to incoming flow cache 112b.
Method 300 also includes an act of the virtual switch processing a network packet for the virtual machine (act 308). For example, virtual switch 104 can process a network packet received from virtual machine 108 or received on behalf of virtual machine 108.
Act 308 includes an act of the virtual switch receiving the network packet from one of the virtual machine or the physical NIC (act 310). For example, virtual switch 104 can receive a network packet from virtual machine 108 over virtual bus 116, or from physical NIC 110 over data path 118 (and physical function driver 124).
Act 308 also includes an act of the virtual switch matching the network packet against a rule in the one or more rule sets (act 312). For example, if the network packet is being sent by virtual machine 108, virtual switch 104 can match the packet against outgoing rule set 106a. Alternatively, if the network packet is being received on behalf of virtual machine 108, virtual switch 104 can match the packet against incoming rule set 106b.
Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch creating a flow in the one or more flow tables (act 314). For example, after matching the network packet against a rule in one of outgoing rule set 106a or incoming rule set 106b, the virtual switch can create one or more flows in outgoing flow table 106c and/or incoming flow table 106d based on the rule.
Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act 316). For example, based on the matching rule, virtual switch 104 can offload the flow to outgoing flow cache 112a and/or incoming flow cache 112b.
Fig. 4 illustrates an alternative computer architecture 400 that facilitates offloading packet processing to a physical NIC for networking device virtualization and that provides one or more potential optimizations relative to computer architecture 100. In some embodiments, computer architecture 400 can be combined with computer architecture 100. As illustrated, computer architecture 400 includes components similar to those of computer architecture 100, such as host 402, virtual machine 408 and physical NIC 410. In computer architecture 400, however, virtual NIC driver 408b at virtual machine 408 includes an outgoing flow list 408d. Virtual NIC driver 408b thus maintains information about all or part of the outgoing flows. In this way, even before virtual function driver 408c sends a network packet to virtual function 420, virtual NIC driver 408b can determine, based on outgoing flow list 408d, whether the network packet matches an outgoing flow. If a match is found, the network packet will also match a flow in outgoing flow cache 412a (provided that flow has been offloaded to physical NIC 410). When, according to outgoing flow list 408d, the packet does not match any flow, virtual NIC driver 408b can forward the packet directly to virtual switch 404 without first sending it to physical NIC 410.
In some cases, virtual machine 408 may be an untrusted entity. Therefore, whether a packet is ultimately delivered to its destination is still decided by virtual bridge 412 at physical NIC 410 and/or by virtual switch 404. For example, even when a flow exists in outgoing flow list 408d and virtual machine 408 sends the network packet to physical NIC 410, virtual bridge 412 still verifies the packet against outgoing flow cache 412a.
In some embodiments, it may be desirable to store only part of each outgoing flow in outgoing flow list 408d. For example, some information in an outgoing flow may be confidential (for example, the IP address to be used for NAT), and, as noted above, virtual machine 408 may be an untrusted entity. Accordingly, outgoing flow list 408d can contain a flow list without action information (that is, only the condition information needed to match a packet to a flow). Outgoing flow list 408d then provides just enough information for virtual NIC driver 408b to decide whether to send the packet to physical NIC 410 or to host 402.
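The guest-side list of Fig. 4 and the two guarantees the text attaches to it, as an added illustration written for this page (not the patent's code): the guest driver holds only match conditions, so a NAT address never reaches the guest, and the guest's routing decision is only a hint, because the NIC bridge checks its own cache and a flow the guest claims but the host never authorized still ends up at the virtual switch. The packet fields, the host's fixed allow-list standing in for the full rule sets, and the names below are this example's assumptions.

```python
"""Outgoing flow list 408d (match conditions only) in an untrusted guest,
with the NIC bridge as the authority. Illustration written for this page;
not the patent's implementation."""

FIELDS = ("proto", "src", "sport", "dst", "dport")

def flow_key(pkt):
    return tuple(pkt[f] for f in FIELDS)

class GuestNicDriver:
    """Virtual NIC driver 408b: knows which flows exist, never what they do."""
    def __init__(self):
        self.outgoing_flow_list = set()      # 408d: flow keys only, no actions

    def learn(self, key):
        self.outgoing_flow_list.add(key)

    def route(self, pkt):
        """Guest's own decision: NIC fast path or straight to the host."""
        return "nic" if flow_key(pkt) in self.outgoing_flow_list else "host"

class NicBridge:
    """Virtual bridge 412: authoritative cache of flow key -> action."""
    def __init__(self):
        self.outgoing_flow_cache = {}        # 412a

    def handle(self, pkt):
        action = self.outgoing_flow_cache.get(flow_key(pkt))
        return ("nic", action) if action is not None else ("host", None)

class HostSwitch:
    """Virtual switch 404, reduced to a fixed allow-list for this example."""
    def __init__(self, nic, guest, allowed):
        self.nic, self.guest, self.allowed = nic, guest, allowed

    def handle(self, pkt):
        key = flow_key(pkt)
        action = self.allowed.get(key, "block")
        if action != "block":
            self.nic.outgoing_flow_cache[key] = action   # NIC gets the full flow
            self.guest.learn(key)                        # guest gets the key only
        return ("host", action)

def send(guest, nic, host, pkt):
    """Path of one outgoing packet. The guest may pick the NIC, but the NIC
    verifies against its own cache; on a miss the host decides."""
    if guest.route(pkt) == "nic":
        where, action = nic.handle(pkt)
        if where == "nic":
            return where, action
    return host.handle(pkt)

if __name__ == "__main__":
    guest, nic = GuestNicDriver(), NicBridge()
    allowed_key = ("tcp", "10.0.0.5", 40000, "198.51.100.9", 443)   # constructed
    host = HostSwitch(nic, guest, {allowed_key: "nat:203.0.113.7"})
    pkt = dict(zip(FIELDS, allowed_key))
    print(send(guest, nic, host, pkt))   # first packet: host decides, flow offloaded
    print(send(guest, nic, host, pkt))   # now the NIC answers directly
    print(guest.outgoing_flow_list)      # keys only; the NAT address is not here
```

The tampering case is the one to keep in mind when reviewing such a design: a guest that adds an entry to its own list merely changes which path the packet takes first, not whether it is allowed.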
Fig. 5 illustrates an example computer architecture 500 that includes the layers of an example multi-layer virtual switch. For example, virtual switch 104 includes layers of rules and flows for each virtual machine. Each layer shown includes an independent set of rule sets and flow tables. As illustrated, for example, the layers may include layer 502 and layer 504. A network packet traverses the layers in one of two directions depending on whether the network packet is being sent or received. For example, when a network packet is being received on behalf of a virtual machine, the packet can traverse the layers from the bottom up (that is, from layer 504 to layer 502, as illustrated by arrow 506). Conversely, when a network packet is being sent from a virtual machine, the packet can traverse the layers from the top down (that is, from layer 502 to layer 504, as illustrated by arrow 508).
In some embodiments, each layer matches the network packet against its own flows/rule sets and takes any appropriate action before forwarding the packet to the next layer. For example, a packet can be decapsulated at layer 504 and then subjected to a NAT operation at layer 502. In some embodiments, if a "block" action is taken, the packet stops traversing the layers and is dropped. Although virtual switch 104 may include multiple layers of flow tables, these flows are generally stored in a flattened form when offloaded to physical NIC 110.
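The layered traversal of Fig. 5, as an added illustration written for this page (not the patent's code): two layers standing in for 502 and 504, each with its own outgoing and incoming rule set; packets sent by the VM walk top-down, packets received for it walk bottom-up; a "block" at any layer ends the walk; and the list of actions the walk applied is what a flat NIC flow entry would carry. The layer contents (a NAT/ACL layer above an encapsulation layer), the action vocabulary and the sample packets are this example's assumptions.

```python
"""Multi-layer virtual switch (layers 502 and 504) modelled as an ordered
list of layers. Illustration written for this page; not the patent's code."""

class Layer:
    """One layer: independent rule sets per direction. A rule is
    (match dict, action); a field absent from the match is a wildcard."""
    def __init__(self, name, rules):
        self.name, self.rules = name, rules       # rules: {"out": [...], "in": [...]}

    def lookup(self, pkt, direction):
        for match, action in self.rules[direction]:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return "allow"                            # no rule at this layer: pass unchanged

def apply_action(action, pkt):
    """Apply one layer's action and return the (possibly rewritten) packet."""
    kind, _, arg = action.partition(":")
    if kind == "nat":
        return {**pkt, "src": arg}                # source NAT for outgoing packets
    if kind == "unnat":
        return {**pkt, "dst": arg}                # reverse translation for replies
    if kind == "encap":
        return {"outer_dst": arg, "inner": pkt}   # wrap in an outer header
    if kind == "decap":
        return pkt["inner"]                       # strip the outer header
    return pkt                                    # "allow"

def traverse(layers, pkt, direction):
    """Walk the layers top-down for packets the VM sends ("out", arrow 508)
    and bottom-up for packets received on its behalf ("in", arrow 506).
    Returns (final packet, or None if blocked; list of actions applied).
    That action list is the flattened form a NIC flow entry would store."""
    order = layers if direction == "out" else list(reversed(layers))
    applied = []
    for layer in order:
        action = layer.lookup(pkt, direction)
        if action == "block":
            return None, applied + [f"block@{layer.name}"]   # stop and drop
        pkt = apply_action(action, pkt)
        applied.append(action)
    return pkt, applied

# Constructed sample layers: 502 blocks telnet and translates the VM's
# address; 504 encapsulates outgoing packets and decapsulates incoming ones.
layer502 = Layer("502", {
    "out": [({"dport": 23}, "block"), ({}, "nat:203.0.113.7")],
    "in":  [({"dport": 23}, "block"), ({}, "unnat:10.0.0.5")],
})
layer504 = Layer("504", {
    "out": [({}, "encap:host-B")],
    "in":  [({"outer_dst": "host-A"}, "decap")],
})
LAYERS = [layer502, layer504]    # top (502) to bottom (504)

if __name__ == "__main__":
    out_pkt = {"src": "10.0.0.5", "dst": "10.0.1.8", "dport": 443}
    print(traverse(LAYERS, out_pkt, "out"))   # NAT at 502, then encapsulated at 504
    in_pkt = {"outer_dst": "host-A",
              "inner": {"src": "10.0.1.8", "dst": "203.0.113.7", "dport": 40000}}
    print(traverse(LAYERS, in_pkt, "in"))     # decapsulated at 504, then un-NATed at 502
```

Because the walk is deterministic for a given packet key, the per-layer decisions can be composed once on the host and handed to the NIC as a single entry; the NIC never needs to know that the actions came from different layers.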
Accordingly, the invention provides a general rule and flow model that enables flows to be offloaded to a physical NIC. Flow offloading allows some packet processing to be performed at the physical NIC and removes the need to send some packets to the virtual switch at the host for processing. In this way, the invention can reduce the CPU usage and latency associated with processing network packets for virtual machines.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is therefore indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.
Claims (10)
1. At a computer system including one or more processors and system memory, the computer system also including a physical network interface card (NIC) and executing a host partition, a method for processing network packets for a virtual machine executing at the computer system, the method comprising:
an act of maintaining one or more rule sets for the virtual machine in the host partition;
an act of the physical NIC maintaining one or more flow tables for the virtual machine, the one or more flow tables being based on the one or more rule sets;
an act of the physical NIC receiving a network packet associated with the virtual machine; and
an act of processing the network packet for the virtual machine, including:
an act of the physical NIC comparing the network packet with the one or more flow tables,
when the network packet matches a flow in the one or more flow tables, an act of the physical NIC performing an action on the network packet based on the matching flow, and
when the network packet does not match a flow in the one or more flow tables, an act of the physical NIC transferring the network packet to the host partition for processing against the one or more rule sets, the network packet being passed to the host partition through the virtual machine.
2. The method of claim 1, further comprising, when the network packet does not match a flow in the one or more flow tables, an act of the host partition comparing the network packet with the one or more rule sets.
3. The method of claim 2, further comprising, when the network packet matches a rule in the one or more rule sets, an act of the host partition performing an action on the network packet based on the matching rule.
4. The method of claim 3, further comprising, when the network packet matches a rule in the one or more rule sets, an act of the host partition creating one or more flows in the one or more flow tables at the physical NIC.
5. The method of claim 1, further comprising an act of the host partition maintaining one or more flow tables for the virtual machine, wherein the one or more flow tables maintained at the physical NIC comprise a subset of the one or more flow tables maintained at the host partition.
6. A method for processing network packets for a virtual machine executing at a computer system, the method comprising:
an act of a virtual switch maintaining one or more rule sets for the virtual machine, the virtual switch including multiple layers of rule sets, each layer including an independent set of rule sets;
an act of the virtual switch maintaining one or more flow tables for the virtual machine;
an act of the virtual switch offloading at least a portion of the one or more flow tables to a physical NIC; and
an act of the virtual switch processing a network packet for the virtual machine, including:
an act of the virtual switch receiving the network packet from one of the virtual machine or the physical NIC;
an act of the virtual switch matching the network packet against a rule in the one or more rule sets, including the network packet traversing the layers and each layer matching the network packet against its own rule set; and
based on matching the network packet with the rule:
an act of the virtual switch creating a flow in the one or more flow tables; and
an act of the virtual switch offloading the flow to the physical NIC.
7. The method of claim 6, wherein the act of maintaining one or more rule sets for the virtual machine comprises an act of maintaining an incoming rule set and an outgoing rule set.
8. The method of claim 6, wherein the act of the virtual switch processing the network packet for the virtual machine further comprises an act of the virtual switch performing at least one action on the network packet based on the rule.
9. The method of claim 8, wherein the at least one action comprises one or more of a packet inspection operation or a packet manipulation operation.
10. A computer system, comprising:
one or more processors;
system memory;
a physical network interface card (NIC); and
one or more computer storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, implement a virtual switch, the virtual switch being configured to:
execute in a host partition of the computer system;
maintain an incoming rule set and an outgoing rule set for a virtual machine, the virtual switch including multiple layers of rule sets, each layer including an independent set of rule sets;
maintain an incoming flow table and an outgoing flow table for the virtual machine;
offload at least a portion of one or more of the incoming flow table or the outgoing flow table to a virtual bridge of the physical NIC; and
process a network packet for the virtual machine, including:
receiving the network packet from one or more of the virtual machine or the physical NIC;
matching the network packet against a rule in one of the incoming rule set or the outgoing rule set, including the network packet traversing the layers and each layer matching the network packet against its own rule set; and
based on matching the network packet with the rule:
creating a flow in one or more of the incoming flow table or the outgoing flow table at the virtual switch; and
offloading the flow to one or more of the incoming flow table or the outgoing flow table at the virtual bridge of the physical NIC.
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201261613824P | 2012-03-21 | 2012-03-21 | |
US61/613,824 | 2012-03-21 | ||
US13/551,064 US8930690B2 (en) | 2012-03-21 | 2012-07-17 | Offloading packet processing for networking device virtualization |
US13/551,064 | 2012-07-17 | ||
PCT/US2013/029222 WO2013142041A1 (en) | 2012-03-21 | 2013-03-06 | Offloading packet processing for networking device virtualization |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104205080A CN104205080A (en) | 2014-12-10 |
CN104205080B true CN104205080B (en) | 2018-04-10 |
Family
ID=49213566
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201380015731.7A Active CN104205080B (en) | 2012-03-21 | 2013-03-06 | Offloading packet processing for networking device virtualization |
Country Status (7)
Country | Link |
---|---|
US (1) | US8930690B2 (en) |
EP (1) | EP2828760B1 (en) |
JP (1) | JP6254574B2 (en) |
KR (1) | KR101969194B1 (en) |
CN (1) | CN104205080B (en) |
ES (1) | ES2720759T3 (en) |
WO (1) | WO2013142041A1 (en) |
Families Citing this family (78)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5691062B2 (en) * | 2011-04-04 | 2015-04-01 | 株式会社日立製作所 | Virtual computer control method and management computer |
US9397954B2 (en) | 2012-03-26 | 2016-07-19 | Oracle International Corporation | System and method for supporting live migration of virtual machines in an infiniband network |
WO2013164403A1 (en) * | 2012-05-02 | 2013-11-07 | Nokia Siemens Networks Oy | Methods and apparatus |
US9565213B2 (en) | 2012-10-22 | 2017-02-07 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US9137205B2 (en) | 2012-10-22 | 2015-09-15 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US9203806B2 (en) | 2013-01-11 | 2015-12-01 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US9124552B2 (en) | 2013-03-12 | 2015-09-01 | Centripetal Networks, Inc. | Filtering network data transfers |
US9990221B2 (en) | 2013-03-15 | 2018-06-05 | Oracle International Corporation | System and method for providing an infiniband SR-IOV vSwitch architecture for a high performance cloud computing environment |
US9094445B2 (en) | 2013-03-15 | 2015-07-28 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
US10230794B2 (en) | 2013-03-15 | 2019-03-12 | Oracle International Corporation | System and method for efficient virtualization in lossless interconnection networks |
US20150012606A1 (en) * | 2013-07-02 | 2015-01-08 | Dell Products, Lp | System and Method to Trap Virtual Functions of a Network Interface Device for Remote Direct Memory Access |
US9781041B2 (en) * | 2013-07-24 | 2017-10-03 | Dell Products Lp | Systems and methods for native network interface controller (NIC) teaming load balancing |
CN104753885B (en) | 2013-12-30 | 2018-06-26 | 杭州华为数字技术有限公司 | Flow table matching method and apparatus, and OpenFlow switching system |
US10397105B2 (en) * | 2014-03-26 | 2019-08-27 | Oracle International Corporation | System and method for scalable multi-homed routing for vSwitch based HCA virtualization |
US10261817B2 (en) * | 2014-07-29 | 2019-04-16 | Nxp Usa, Inc. | System on a chip and method for a controller supported virtual machine monitor |
US10237354B2 (en) * | 2014-09-25 | 2019-03-19 | Intel Corporation | Technologies for offloading a virtual service endpoint to a network interface card |
EP3235199B1 (en) * | 2014-12-19 | 2020-10-07 | Hewlett-Packard Enterprise Development LP | Multicast advertisement message for a network switch in a storage area network |
US10812632B2 (en) * | 2015-02-09 | 2020-10-20 | Avago Technologies International Sales Pte. Limited | Network interface controller with integrated network flow processing |
US9264370B1 (en) | 2015-02-10 | 2016-02-16 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US9866576B2 (en) | 2015-04-17 | 2018-01-09 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US10356012B2 (en) * | 2015-08-20 | 2019-07-16 | Intel Corporation | Techniques for routing packets among virtual machines |
US10558482B1 (en) | 2015-09-30 | 2020-02-11 | Amazon Technologies, Inc. | Client network instances for resources in provider network environments |
KR102148371B1 (en) * | 2015-10-28 | 2020-08-26 | 에스케이텔레콤 주식회사 | Method and apparatus for operating network function virtualization |
US10298720B1 (en) | 2015-12-07 | 2019-05-21 | Amazon Technologies, Inc. | Client-defined rules in provider network environments |
US9912774B2 (en) * | 2015-12-22 | 2018-03-06 | Intel Corporation | Accelerated network packet processing |
US9917856B2 (en) | 2015-12-23 | 2018-03-13 | Centripetal Networks, Inc. | Rule-based network-threat detection for encrypted communications |
US11729144B2 (en) | 2016-01-04 | 2023-08-15 | Centripetal Networks, Llc | Efficient packet capture for cyber threat analysis |
EP3694159A1 (en) * | 2016-08-03 | 2020-08-12 | Huawei Technologies Co., Ltd. | Network interface card, computing device, and data packet processing method |
EP3340064B1 (en) * | 2016-08-03 | 2020-12-02 | Huawei Technologies Co., Ltd. | Network interface card, computer device and data packet processing method |
US10193968B2 (en) | 2016-10-14 | 2019-01-29 | Google Llc | Virtual router with dynamic flow offload capability |
US10715585B2 (en) | 2017-03-10 | 2020-07-14 | Microsoft Technology Licensing, Llc | Packet processor in virtual filtering platform |
CN110050447B (en) * | 2017-06-30 | 2021-02-12 | 华为技术有限公司 | Data processing method, network interface card and server |
US10503899B2 (en) | 2017-07-10 | 2019-12-10 | Centripetal Networks, Inc. | Cyberanalysis workflow acceleration |
US11233777B2 (en) | 2017-07-24 | 2022-01-25 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US10284526B2 (en) | 2017-07-24 | 2019-05-07 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US10547553B2 (en) * | 2017-09-17 | 2020-01-28 | Mellanox Technologies, Ltd. | Stateful connection tracking |
US10637828B2 (en) * | 2017-09-17 | 2020-04-28 | Mellanox Technologies, Ltd. | NIC with stateful connection tracking |
US10382346B2 (en) | 2017-10-24 | 2019-08-13 | Cisco Technology, Inc. | Method and device for offloading processing of data flows |
CN115037575A (en) | 2017-12-26 | 2022-09-09 | 华为技术有限公司 | Message processing method and device |
CN113542125B (en) | 2018-03-31 | 2022-11-25 | 华为技术有限公司 | Method and device for forwarding message based on integrated flow table |
US10333898B1 (en) | 2018-07-09 | 2019-06-25 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US10834044B2 (en) * | 2018-09-19 | 2020-11-10 | Amazon Technologies, Inc. | Domain name system operations implemented using scalable virtual traffic hub |
US10831523B2 (en) * | 2018-10-08 | 2020-11-10 | Microsoft Technology Licensing, Llc | RDMA with virtual address space |
US20210336960A1 (en) * | 2018-12-10 | 2021-10-28 | Drivenets Ltd. | A System and a Method for Monitoring Traffic Flows in a Communications Network |
CN110149231B (en) * | 2019-05-21 | 2022-05-31 | 优刻得科技股份有限公司 | Method, device, storage medium and equipment for updating virtual switch |
US11436053B2 (en) | 2019-05-24 | 2022-09-06 | Microsoft Technology Licensing, Llc | Third-party hardware integration in virtual networks |
CN112019431B (en) * | 2019-05-29 | 2023-04-18 | 阿里巴巴集团控股有限公司 | Method, device and equipment for processing forwarding rule |
US11042392B2 (en) | 2019-06-14 | 2021-06-22 | Microsoft Technology Licensing, Llc | Network policy and flow state save/restore for highly available servicing |
US11743135B2 (en) | 2019-07-23 | 2023-08-29 | Vmware, Inc. | Presenting data regarding grouped flows |
US11349876B2 (en) * | 2019-07-23 | 2022-05-31 | Vmware, Inc. | Security policy recommendation generation |
US11398987B2 (en) | 2019-07-23 | 2022-07-26 | Vmware, Inc. | Host-based flow aggregation |
US11340931B2 (en) | 2019-07-23 | 2022-05-24 | Vmware, Inc. | Recommendation generation based on selection of selectable elements of visual representation |
US11436075B2 (en) | 2019-07-23 | 2022-09-06 | Vmware, Inc. | Offloading anomaly detection from server to host |
LU101361B1 (en) * | 2019-08-26 | 2021-03-11 | Microsoft Technology Licensing Llc | Computer device including nested network interface controller switches |
US11831663B2 (en) * | 2019-10-10 | 2023-11-28 | Intel Corporation | Secure networking protocol optimization via NIC hardware offloading |
US11321213B2 (en) | 2020-01-16 | 2022-05-03 | Vmware, Inc. | Correlation key used to correlate flow and context data |
CN113285892A (en) * | 2020-02-20 | 2021-08-20 | 华为技术有限公司 | Message processing system, message processing method, machine-readable storage medium, and program product |
US11474857B1 (en) * | 2020-05-06 | 2022-10-18 | Amazon Technologies, Inc. | Accelerated migration of compute instances using offload cards |
US11934330B2 (en) * | 2020-05-08 | 2024-03-19 | Intel Corporation | Memory allocation for distributed processing devices |
US11740919B2 (en) * | 2020-05-18 | 2023-08-29 | Dell Products L.P. | System and method for hardware offloading of nested virtual switches |
US20230195482A1 (en) * | 2020-07-21 | 2023-06-22 | Vmware, Inc. | Offloading Packet Processing Programs from Virtual Machines to a Hypervisor and Efficiently Executing the Offloaded Packet Processing Programs |
US11750532B2 (en) | 2020-07-21 | 2023-09-05 | Vmware, Inc. | Logical network packet handling on physical network interface controller (PNIC) |
US11811559B2 (en) * | 2020-07-21 | 2023-11-07 | Vmware, Inc. | Logical network packet handling on physical network interface controller (PNIC) |
KR102217114B1 (en) * | 2020-07-24 | 2021-02-18 | 넷록스 주식회사 | Method for controlling of accelerating edge platform network and electronic device using the same |
US11362996B2 (en) | 2020-10-27 | 2022-06-14 | Centripetal Networks, Inc. | Methods and systems for efficient adaptive logging of cyber threat incidents |
CN114531405B (en) * | 2020-10-31 | 2023-06-06 | 华为技术有限公司 | Flow table processing method and related equipment |
KR102479757B1 (en) * | 2020-11-24 | 2022-12-22 | 한국과학기술원 | Offloading method and system of network and file i/o operation, and a computer-readable recording medium |
US11363119B1 (en) | 2020-12-03 | 2022-06-14 | Wormhole Labs, Inc. | Remote processing of augmented reality workloads |
US11785032B2 (en) | 2021-01-22 | 2023-10-10 | Vmware, Inc. | Security threat detection based on network flow analysis |
CN114979028B (en) * | 2021-02-26 | 2024-02-23 | 中移(苏州)软件技术有限公司 | Data packet processing method, device and storage medium |
US11824773B2 (en) | 2021-03-30 | 2023-11-21 | Amazon Technologies, Inc. | Dynamic routing for peered virtual routers |
US11601365B2 (en) * | 2021-03-30 | 2023-03-07 | Amazon Technologies, Inc. | Wide area networking service using provider network backbone network |
US11159546B1 (en) | 2021-04-20 | 2021-10-26 | Centripetal Networks, Inc. | Methods and systems for efficient threat context-aware packet filtering for network protection |
US11831667B2 (en) | 2021-07-09 | 2023-11-28 | Vmware, Inc. | Identification of time-ordered sets of connections to identify threats to a datacenter |
US11792151B2 (en) | 2021-10-21 | 2023-10-17 | Vmware, Inc. | Detection of threats based on responses to name resolution requests |
KR102420610B1 (en) * | 2021-11-19 | 2022-07-13 | 넷록스 주식회사 | Method for packet data processing using multi layer caching strategy and electronic device for supporting the same |
WO2023249748A1 (en) * | 2022-06-21 | 2023-12-28 | Vmware, Inc. | Accelerating data message classification with smart nics |
US11928367B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Logical memory addressing for network devices |
Family Cites Families (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6904519B2 (en) | 1998-06-12 | 2005-06-07 | Microsoft Corporation | Method and computer program product for offloading processing tasks from software to hardware |
US7190668B1 (en) * | 2001-11-27 | 2007-03-13 | Nokia Corporation | Method of anchoring flows |
KR100429904B1 (en) * | 2002-05-18 | 2004-05-03 | 한국전자통신연구원 | Router providing differentiated quality-of-service and fast internet protocol packet classification method for the same |
EP1547324A2 (en) * | 2002-09-30 | 2005-06-29 | Siemens Aktiengesellschaft | Method for partially maintaining packet sequences in connectionless packet switching with alternative routing |
US7545809B2 (en) * | 2003-05-28 | 2009-06-09 | International Business Machines Corporation | Packet classification |
US20050190779A1 (en) | 2004-03-01 | 2005-09-01 | Cisco Technology, Inc., A California Corporation | Scalable approach to large scale queuing through dynamic resource allocation |
JP4343760B2 (en) * | 2004-04-28 | 2009-10-14 | 株式会社日立製作所 | Network protocol processor |
US7936770B1 (en) | 2005-03-08 | 2011-05-03 | Enterasys Networks, Inc. | Method and apparatus of virtual class of service and logical queue representation through network traffic distribution over multiple port interfaces |
US7656894B2 (en) | 2005-10-28 | 2010-02-02 | Microsoft Corporation | Offloading processing tasks to a peripheral device |
US8230153B2 (en) * | 2006-01-20 | 2012-07-24 | Broadcom Corporation | Method and system for HBA assisted storage virtualization |
US7701849B1 (en) | 2006-06-23 | 2010-04-20 | Juniper Networks, Inc. | Flow-based queuing of network traffic |
US8006297B2 (en) * | 2007-04-25 | 2011-08-23 | Oracle America, Inc. | Method and system for combined security protocol and packet filter offload and onload |
US8001278B2 (en) * | 2007-09-28 | 2011-08-16 | Intel Corporation | Network packet payload compression |
US7792914B2 (en) * | 2008-01-14 | 2010-09-07 | Aten International Co., Ltd. | Server with network-based remote access and server management functions using reduced number of network connections |
US7983257B2 (en) | 2008-07-18 | 2011-07-19 | Emulex Design & Manufacturing Corporation | Hardware switch for hypervisors and blade servers |
US8385202B2 (en) | 2008-08-27 | 2013-02-26 | Cisco Technology, Inc. | Virtual switch quality of service for virtual machines |
US7961726B2 (en) | 2008-10-07 | 2011-06-14 | Microsoft Corporation | Framework for optimizing and simplifying network communication in close proximity networks |
US9740517B2 (en) * | 2008-12-29 | 2017-08-22 | Microsoft Technology Licensing, Llc | Dynamic virtual machine memory management |
US9059965B2 (en) | 2009-06-30 | 2015-06-16 | Oracle America, Inc. | Method and system for enforcing security policies on network traffic |
US8621460B2 (en) * | 2009-11-02 | 2013-12-31 | International Business Machines Corporation | Endpoint-hosted hypervisor management |
US8537860B2 (en) | 2009-11-03 | 2013-09-17 | International Business Machines Corporation | Apparatus for switching traffic between virtual machines |
WO2011068091A1 (en) | 2009-12-04 | 2011-06-09 | 日本電気株式会社 | Server and flow control program |
US8234400B2 (en) | 2010-03-16 | 2012-07-31 | Microsoft Corporation | Shaping virtual machine communication traffic |
US8739177B2 (en) | 2010-06-21 | 2014-05-27 | Intel Corporation | Method for network interface sharing among multiple virtual machines |
US8804747B2 (en) * | 2010-09-23 | 2014-08-12 | Cisco Technology, Inc. | Network interface controller for virtual and distributed services |
US8561065B2 (en) * | 2010-11-15 | 2013-10-15 | International Business Machines Corporation | Virtualization of vendor specific network interfaces of self-virtualizing input/output device virtual functions |
- 2012
  - 2012-07-17 US US13/551,064 patent/US8930690B2/en active Active
- 2013
  - 2013-03-06 WO PCT/US2013/029222 patent/WO2013142041A1/en active Application Filing
  - 2013-03-06 KR KR1020147026247A patent/KR101969194B1/en active IP Right Grant
  - 2013-03-06 JP JP2015501692A patent/JP6254574B2/en active Active
  - 2013-03-06 CN CN201380015731.7A patent/CN104205080B/en active Active
  - 2013-03-06 EP EP13764757.4A patent/EP2828760B1/en active Active
  - 2013-03-06 ES ES13764757T patent/ES2720759T3/en active Active
Also Published As
Publication number | Publication date |
---|---|
US20130254766A1 (en) | 2013-09-26 |
KR20140143155A (en) | 2014-12-15 |
EP2828760A4 (en) | 2015-11-11 |
JP2015515798A (en) | 2015-05-28 |
EP2828760A1 (en) | 2015-01-28 |
EP2828760B1 (en) | 2019-01-16 |
JP6254574B2 (en) | 2017-12-27 |
ES2720759T3 (en) | 2019-07-24 |
CN104205080A (en) | 2014-12-10 |
US8930690B2 (en) | 2015-01-06 |
KR101969194B1 (en) | 2019-08-13 |
WO2013142041A1 (en) | 2013-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104205080B (en) | Unloading packet transaction is virtualized for networked devices | |
US11695731B2 (en) | Distributed identity-based firewalls | |
CN104052789B (en) | Method and system for the load balance of virtual networking system | |
CN103718164B (en) | Virtual machine and service | |
CN102334112B (en) | Method and system for virtual machine networking | |
CN104685507B (en) | Virtual secure device architecture is provided to virtual cloud foundation structure | |
CN1688989B (en) | High data rate stateful protocol processing method, device and system | |
CN104717156B (en) | The method and system of the data flow in network is defined using NIC management software | |
US20210243247A1 (en) | Service mesh offload to network devices | |
CN110419200A (en) | Packet handler in virtual filter platform | |
EP2920940B1 (en) | Method and device for data flow processing | |
WO2017114286A1 (en) | Network management system based on hybrid cloud platform | |
CN103650426B (en) | For carrying out the system and method that cloud bridge connects between public cloud and privately owned cloud | |
CN104348740B (en) | Data package processing method and system | |
CN107872392A (en) | Service function chain data and service function instance data are distributed in a network | |
JP2021103895A (en) | Financial network | |
CN102904729B (en) | The intelligent acceleration network card of more applications is supported according to agreement, port shunt | |
CN104811392B (en) | For handling the method and system of the resource access request in network | |
CN107409096A (en) | Self-adapting load balances | |
CN105684357A (en) | Management of addresses in virtual machines | |
CN103346981A (en) | Virtual exchange method, related device and computer system | |
CN102143218B (en) | Web access cloud architecture and access method | |
CN108366018A (en) | A kind of processing method of network data packets based on DPDK | |
CN104811431B (en) | Data package processing method and device based on parallel protocol stack instance | |
CN103067270B (en) | A kind of virtual machine exchange visit safety control method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | | Effective date of registration: 20171023; Address after: Washington State; Applicant after: Microsoft Technology Licensing, LLC; Address before: Washington State; Applicant before: Microsoft Corp. |
GR01 | Patent grant | ||